whatisgithub

What is nginx-rift-private-lab?

hamid-k/nginx-rift-private-lab — explained in plain English

Analysis updated 2026-05-18

67PythonAudience · researcherComplexity · 5/5Setup · hard

In one sentence

A private lab reproducing a critical NGINX heap overflow vulnerability, CVE-2026-42945, including an ASLR bypass chain.

Mindmap

mindmap
  root((repo))
    What it does
      Reproduces NGINX CVE
      Heap buffer overflow
      ASLR bypass chain
    Tech stack
      Python
      NGINX
    Use cases
      Study the vulnerability
      Review exploit chain
      Check affected versions
    Audience
      Security researchers

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Study how a URL rewrite heap overflow bug in NGINX works

USE CASE 2

See a documented ASLR bypass built on a secondary PHP file read bug

USE CASE 3

Review the lab conditions required to reproduce the exploit safely

What is it built with?

PythonNGINX

How does it compare?

hamid-k/nginx-rift-private-labnvlabs/spatialclawshootthesound/comfyui-mesh
Stars676767
LanguagePythonPythonPython
Setup difficultyhardhardhard
Complexity5/55/54/5
Audienceresearcherresearcherdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard Time to first run · 1day+

Requires a controlled lab matching specific conditions like PHP file read access and HTTP/2 enabled.

So what is it?

This repository is a private security research lab built around CVE-2026-42945, a critical vulnerability in the NGINX web server that was present in the codebase since 2008. The bug is a heap buffer overflow in the module that handles URL rewriting. An attacker can send a specially crafted HTTP request to a vulnerable server and, under the right conditions, execute arbitrary commands on that server without needing to log in. The technical cause is a mismatch between two passes in NGINX's script engine. The first pass calculates how much memory to allocate for a rewritten URL, and the second pass copies the data into that allocation. Because of a flag that only gets set during the copy pass, the copy writes more bytes than the allocation reserved, overflowing the heap buffer with content the attacker controls. The core proof-of-concept code came from the original CVE disclosure, produced by a security analysis tool called depthfirst. This fork extends that work with a more realistic attack chain that functions against servers where address space layout randomization is enabled. ASLR is a standard Linux security feature that randomizes memory locations to make exploits harder to write. The extended chain gets around ASLR by using a second vulnerability: a PHP local file read primitive on the same server. That flaw lets the researcher read files from the server's filesystem, including internal Linux process files that reveal where the NGINX worker process is loaded in memory. Once those addresses are known, the exploit can target the exact memory location it needs. The README carefully documents what conditions must be true for the exploit to work, including that PHP must be able to read certain process files and that HTTP/2 must be enabled. It is explicit that these are controlled lab conditions, not universal assumptions about real production servers. The vendor advisory and fixed versions are listed. NGINX Open Source versions 0.6.27 through 1.30.0 are affected, 1.31.0 and 1.30.1 contain the fix.

Copy-paste prompts

Prompt 1
Explain how the NGINX URL rewrite heap overflow in CVE-2026-42945 works
Prompt 2
Walk me through how this lab bypasses ASLR using the PHP file read bug
Prompt 3
What NGINX versions are affected and which versions fix this bug
Prompt 4
Summarize the conditions required for this exploit chain to succeed

Frequently asked questions

What is nginx-rift-private-lab?

A private lab reproducing a critical NGINX heap overflow vulnerability, CVE-2026-42945, including an ASLR bypass chain.

What language is nginx-rift-private-lab written in?

Mainly Python. The stack also includes Python, NGINX.

How hard is nginx-rift-private-lab to set up?

Setup difficulty is rated hard, with roughly 1day+ to a first successful run.

Who is nginx-rift-private-lab for?

Mainly researcher.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.